Common Information Model Event-naming Format
Events in the common information model framework are defined via a rich, multi-level hierarchy of context elements. They are not confined to a single title or description. However, a rigid event-naming convention is necessary to ensure that events are readable and manageable. Such a convention also makes it possible to create new types of events that conform to the common information model structure.
Accordingly, the Exabeam event-naming format is based on the context elements listed below and can be represented as follows: subject-sub_subject-activity:outcome
Subject (optional) – Listed first, the subject is the main target of an event.
Sub_subject (optional) – The sub_subject describes properties of the subject that are the target of an activity.
Activity – The active operation that was performed against the subject.
Outcome – An indication of whether the event had the intended outcome. Was it a success or a fail?
Note also that activities are always phrased in the present tense. Be sure to observe the correct naming structure and phrasing when creating new events.
Sample event names:
user-password-modify:fail
file-write:success
email-send:success
endpoint-login:fail
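The following validator is an added example, not Exabeam code: it parses a name in the subject-sub_subject-activity:outcome format and can lint custom event names before they are used. The function names and the token character set (lowercase letters, digits, underscores) are assumptions; the outcomes success and fail are the ones shown on this page.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumption: each token is lowercase letters, digits or underscores.
TOKEN = re.compile(r"[a-z][a-z0-9_]*")
OUTCOMES = ("success", "fail")  # the two outcomes the page names


class EventName(NamedTuple):
    subject: Optional[str]
    sub_subject: Optional[str]
    activity: str
    outcome: str


def parse_event_name(name: str) -> EventName:
    """Split subject-sub_subject-activity:outcome; raise ValueError if malformed."""
    head, sep, outcome = name.partition(":")
    if not sep:
        raise ValueError("missing ':outcome' suffix")
    if outcome not in OUTCOMES:
        raise ValueError(f"outcome must be one of {OUTCOMES}, got {outcome!r}")
    tokens = head.split("-")
    if len(tokens) > 3:
        raise ValueError("at most subject, sub_subject and activity are allowed")
    for tok in tokens:
        if not TOKEN.fullmatch(tok):
            raise ValueError(f"invalid token {tok!r}")
    # Activity is always last; subject and sub_subject are optional prefixes.
    subject = tokens[0] if len(tokens) >= 2 else None
    sub_subject = tokens[1] if len(tokens) == 3 else None
    return EventName(subject, sub_subject, tokens[-1], outcome)


def lint_event_names(names: List[str]) -> List[Tuple[str, str]]:
    """Return (name, reason) for every name that breaks the convention."""
    problems = []
    for name in names:
        try:
            parse_event_name(name)
        except ValueError as exc:
            problems.append((name, str(exc)))
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's four names plus three malformed ones.
    sample = ["user-password-modify:fail", "file-write:success", "email-send:success",
              "endpoint-login:fail", "File-Write:success", "file-write", "a-b-c-d:fail"]
    for name, reason in lint_event_names(sample):
        print(f"{name}: {reason}")
```

The check covers structure only; whether an activity is phrased in the present tense still needs human review.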